Article Content

Digital attestation signing requires that new executables on the latest Windows operating systems, such as Windows 10, be digitally signed. If they are not submitted for signing, Windows can prevent the installation of unsigned executables, such as the NetWitness Endpoint agent, on any, or possibly all, endpoints.

See the image below for a sample of a signed driver:

Cause

Windows 10 introduced a new type of driver signing for Windows executables with builds after 1607. The reason for this was to protect executables running in kernel space. NetWitness Endpoint uses a kernel-mode driver that runs in kernel space, so it falls under the requirements of the attestation signing process for Windows 10.

Resolution

All NetWitness Endpoint agents have driver attestation signing in the latest versions of NetWitness Endpoint, including 4.3.0.6 and later versions. If a signed driver is missing attestation signing as seen in the Issue section, it must be reported to engineering as a regression bug so a version of the build can be released that includes properly signed agent drivers.
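
One way to confirm whether a driver file is attestation signed before reporting it, as an added example that is not NetWitness code. The `$DriverPath` parameter is a placeholder, since this article does not name the driver file, and the two EKU OIDs are the ones Microsoft uses for attested and WHQL driver signatures rather than values taken from this article.

```powershell
# Added example: classify the Authenticode signature on a kernel driver file.
param(
    # Placeholder: path to the agent's kernel driver (.sys) on the endpoint.
    [Parameter(Mandatory)][string]$DriverPath
)

# EKU OIDs found in the signer certificate of Microsoft-signed drivers.
$AttestedOid = '1.3.6.1.4.1.311.10.3.5.1'  # Windows Hardware Driver Attested Verification
$WhqlOid     = '1.3.6.1.4.1.311.10.3.5'    # Windows Hardware Driver Verification (WHQL)

$sig = Get-AuthenticodeSignature -LiteralPath $DriverPath

# Failure mode: no signature, or one that does not validate on this machine.
if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
    [pscustomobject]@{
        Path    = $DriverPath
        Status  = $sig.Status
        Signer  = $null
        Signing = 'Unsigned or invalid signature'
    }
    return
}

# Collect the EKU OIDs from the signer (leaf) certificate.
$ekuOids = @(
    $sig.SignerCertificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
)

$signing = if ($ekuOids -contains $AttestedOid) {
    'Attestation signed'
} elseif ($ekuOids -contains $WhqlOid) {
    'WHQL signed'
} else {
    'Signed, but without a Microsoft hardware driver EKU'
}

[pscustomobject]@{
    Path    = $DriverPath
    Status  = $sig.Status
    Signer  = $sig.SignerCertificate.Subject
    Signing = $signing
}
```

A result of "Signed, but without a Microsoft hardware driver EKU" on the driver is the condition this section says to report to engineering.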

Whether the agent is actually signed cannot be judged from the executable created by the packager. That executable is generated automatically during the wrapping process of the installer, so EcatServiceAgent.exe, or whatever name the agent executable is given, does not show driver signing, nor should it. An example of this is shown below and should be ignored.

Workaround

There is no workaround, other than having the drivers digitally signed by engineering.